Gawker has published a story about a breach that exposes 114k iPad 3G users and says that there could be more than that. Among those who have been identified by their email addresses, we can find high-profile names like Diane Sawyer, Harvey Weinstein or Michael Bloomberg. The leaked data included email addresses and a unique hardware identifier (ICCID).
Although Gawker says that ultimate responsibility lies with Apple, it looks like an AT&T security weakness was exploited in this case. It is also unclear how this breach would affect sales, but I suspect that just like the Facebook privacy issues, this won’t really affect sales in a dramatic way – if at all.
What’s more interesting is who did it and how: a group called Goatse Security exploited a script that was publicly available on an AT&T website. If provided with an ICCID, it would return the associated email address. The ICCIDs are not that hard to guess, because all it takes is to generate variants of known IDs. After the fact, the group notified AT&T – and the hole was plugged.
Clearly, AT&T’s security is at fault here, and it is shocking that this script did not have restricted access. Fortunately, the damage seems limited to emails (which can arguably be bad enough) and no financial or (other) personal information was leaked. If you want to get all the little bits, check Gawker’s article; it is quite interesting.
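A lookup that accepts a guessable identifier and needs no login leaves a recognisable trail in the web server's access log: one client asking about many distinct, numerically close IDs. The check below is an added example, not code from Gawker's article or from AT&T; the `/lookup` path, the `ICCID` parameter name, the log format, the sample values and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Common-log-format request line; path and parameter name are hypothetical.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" \d{3}')
ICCID_RE = re.compile(r'[?&]ICCID=(?P<iccid>\d{19,20})(?:&|$)')

def find_enumerators(lines, min_distinct=10, max_gap=1000, min_close=0.8):
    """Flag clients that look up many distinct ICCIDs lying close together.

    A device owner asks about one ICCID. A client walking variants of a
    known ID asks about many, and the sorted values sit near each other.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        q = m and ICCID_RE.search(m.group("path"))
        if q:
            seen[m.group("ip")].add(int(q.group("iccid")))

    flagged = {}
    for ip, ids in seen.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        # Share of neighbouring IDs (after sorting) within max_gap of each other.
        close = sum(b - a <= max_gap for a, b in zip(ordered, ordered[1:]))
        ratio = close / (len(ordered) - 1)
        if ratio >= min_close:
            flagged[ip] = {"distinct": len(ids), "close_ratio": round(ratio, 2)}
    return flagged

def sample_log():
    """Constructed log lines: one client stepping through nearby IDs, one normal client."""
    fmt = '{ip} - - [01/Jan/2000:10:00:{s:02d} +0000] "GET /lookup?ICCID={i} HTTP/1.1" {st}'
    lines = [fmt.format(ip="198.51.100.7", s=n, i=8900000000000000000 + 7 * n,
                        st=200 if n % 3 == 0 else 404) for n in range(30)]
    lines += [fmt.format(ip="203.0.113.20", s=n, i=8900000000000412345, st=200)
              for n in range(3)]
    return lines

if __name__ == "__main__":
    for ip, stats in find_enumerators(sample_log()).items():
        print(ip, stats)
```

Detection only shortens the window; the underlying fix is the one the post points at, which is restricting the script so that a bare ICCID is not enough to get an email address back.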